This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.


Purpose
To set out the HKMA's supervisory approach to operational resilience and provide AIs with guidance on the general principles which they are expected to consider when developing their operational resilience framework.


Classification
A non-statutory guideline issued by the MA as a guidance note.


Previous guidelines superseded
This is a new guideline.


Application
To all AIs.


Structure

1. Definition of operational resilience

2. Operational resilience framework

3. Role of the Board and senior management

4. Determining operational resilience parameters
   4.1 Identifying critical operations
   4.2 Setting tolerance for disruption
   4.3 Identifying severe but plausible scenarios

5. Mapping interconnections and interdependencies underlying critical operations

6. Preparing for and managing risks to critical operations delivery

7. Testing ability to deliver critical operations under severe but plausible scenarios

8. Responding to and recovering from incidents

9. Implementation of operational resilience requirements
   9.1 Application
   9.2 Timeline for implementation
   9.3 Supervisory approach
1. Definition of operational resilience

1.1 Operational disruptions (including those due to pandemics, cyber incidents, technology failures and natural disasters) can affect the viability of individual financial institutions and, in turn, the stability of the wider financial system. This underscores the significance of operational resilience as a supervisory focus and has motivated many regulators around the world and standard-setting bodies to issue guidance that aims to improve the operational resilience of financial institutions.

1.2 The Principles for Operational Resilience (POR) issued by the Basel Committee on Banking Supervision (BCBS) in March 2021 define operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from, disruptive events in order to minimise their impact on the delivery of critical operations through disruption.

1.3 The HKMA expects all AIs in Hong Kong to be operationally resilient. The HKMA will consider an AI to be operationally resilient if it is able to satisfy the following requirements:

• Identify and mitigate risks that may threaten delivery of critical operations. In relation to an AI, "critical operations" refers to: (i) activities, processes and services performed by the AI, as well as (ii) the supporting assets (including people, technology, information and facilities) necessary for the delivery of such activities and services, which, if disrupted, could pose material risks to the viability of the AI itself or impact the AI's role within the Hong Kong financial system [1].

• Continue to deliver critical operations when disruptions occur, including under severe but plausible scenarios. For this purpose, disruptions to an AI's critical operations must not exceed its "tolerance for disruption", which is defined as the maximum level of disruption to a critical operation that an AI can accept, and is in practice the point after which further disruption would pose risks to the viability of the AI or impact its role within the Hong Kong financial system. "Severe but plausible scenarios" refers to situations that would result in significant disruptions and which, while unlikely to occur, remain plausible.

• Resume normal operations in a timely manner after disruptions occur; and

• Absorb learnings from disruptions or near misses to continually improve its ability to prevent, adapt to and recover from risks and disruptions to critical operations delivery.

[1] These should include any "critical financial functions", as defined in the Financial Institutions (Resolution) Ordinance and elaborated on in the Code of Practice "CI-1 Resolution Planning – Core Information Requirements", that may be performed by the AI.


2. Operational resilience framework

2.1 An AI should develop an operational resilience framework which enables it to satisfy the requirements detailed in Section 1.3.

2.2 Given the importance of operational resilience for an AI to deliver critical operations through disruption and remain viable under extreme scenarios, an AI's Board of Directors (Board) [2] and senior management are expected to actively participate in establishing, implementing and overseeing the operational resilience framework.

2.3 At a minimum, an AI should include the following components within its operational resilience framework. Further guidance on how AIs may approach each of these components is provided in the subsequent sections of this module.

• A mechanism for determining the operational resilience parameters, namely critical operations, tolerance for disruption and severe but plausible scenarios. (Section 4)

• Mapping exercises which enable an AI to develop a detailed understanding of the interconnections and interdependencies that underlie critical operations delivery and, in turn, identify what risks or events may affect or disrupt critical operations delivery. (Section 5)

• Risk management policies and frameworks that help an AI prepare for and manage the various risks to critical operations delivery in an integrated and holistic way. (Section 6)

• Scenario testing which enables an AI to regularly assess whether it is able to continue delivering critical operations through disruption, including under severe but plausible scenarios. (Section 7)

• An incident management programme which allows an AI to effectively respond to and manage disruptions to critical operations delivery. (Section 8)

2.4 An AI may determine the most appropriate approach to developing its operational resilience framework, taking into account its particular circumstances [3]. AIs may refer to Diagram 1 for an illustration of how the different components can be brought together to create a holistic operational resilience framework. It is important to note that developing operational resilience is an iterative process; it will not always be linear. An AI should actively apply learnings from its implementation of the framework and from the management of actual incidents to continually improve the effectiveness of the framework.

[2] References to the Board's duties within this module may be discharged by the Board itself or by a Board-level committee assigned to oversee operational resilience matters.

[3] The HKMA is prepared to accept an AI leveraging its group's operational resilience framework so long as that framework enables the AI to materially fulfil the objectives and requirements of this module. An AI wishing to make use of this flexibility should discuss with the HKMA in advance.


Diagram 1: Step-by-step approach to developing a holistic operational resilience framework

[Diagram not reproduced. Recoverable step labels: 1. Determine operational resilience parameters, i.e. "critical operations", "tolerance for disruption" and "severe but plausible scenarios" (Section 4); ... 4. Respond to and recover from incidents (Section 8).]


3. Role of the Board and senior management

3.1 The Board should be ultimately responsible for approving an AI's operational resilience framework and for overseeing its implementation. When reviewing and approving the framework developed by senior management, the Board should take into consideration the AI's risk appetite. For overseas incorporated AIs, this role should rest with the management team at the head office or the regional headquarters overseeing the Hong Kong operations of the AI.

3.2 Senior management should implement the operational resilience framework and ensure that sufficient resources (including financial, technological and otherwise) are allocated to this purpose. To facilitate the Board's oversight, senior management should provide regular and timely reports to the Board on the ongoing operational resilience of the AI's business units, particularly when significant deficiencies could affect the delivery of the AI's critical operations.

3.3 The Board and senior management should actively participate in the setting and review of an AI's operational resilience parameters. Specifically:

• The Board should approve and regularly review: (i) the criteria for determining an AI's critical operations; and (ii) the actual list of critical operations. The reviews should be conducted no less than annually, or when major operational changes occur.

• The Board is responsible for approving the tolerance for disruption developed by senior management. Assisted by senior management, it should also review the tolerance for disruption at least annually, or when major operational changes occur.

• Senior management should identify, and the Board should approve, the severe but plausible scenarios which will be used to review whether an AI is operationally resilient. Both the Board and senior management should regularly review the continued relevance of the scenarios identified.

3.4 The Board bears ultimate responsibility for ensuring that an AI remains operationally resilient. This requires the Board to ensure that appropriate action is taken by senior management to address any deficiencies identified in an AI's ability to remain within its tolerance for disruption. Where there is more than one source of deficiency, the Board should ensure that senior management suitably prioritise the remedial actions. As a general principle, the Board should ensure that focus is placed on improving those areas that would result in larger disruptions, carry higher risks or face more significant deficiencies. For instance, an AI should prioritise a critical operation that would breach its tolerance for disruption sooner over one that is less time-sensitive, and a critical operation that is further from remaining within its tolerance for disruption over one that is largely within its tolerance.

3.5 The Board and senior management should regularly review the suitability and effectiveness of the AI's operational resilience framework. These reviews are particularly important following operational changes and during the transitional period after an operational change comes into effect.

3.6 The Board should play an active role in establishing a broad understanding of the AI's operational resilience framework. It should oversee and ensure clear communication of the objectives of the framework to all relevant parties, including staff, intragroup entities and third parties. Regular training on the AI's operational resilience framework should be provided to staff to reinforce their understanding.


4. Determining operational resilience parameters

4.1 Identifying critical operations

4.1.1 As a first step to developing a sound operational resilience framework, an AI should identify its critical operations. The number of critical operations identified should be commensurate with the size, nature and complexity of the AI's operations.

4.1.2 When identifying its critical operations, an AI should apply a set of defined criteria. These criteria should allow an AI to assess critically whether an operation, if disrupted, would affect:

(a) The AI's viability. Possible factors to consider include the impact on customers and personnel, and financial, reputational, legal and regulatory implications.

(b) The AI's role in the Hong Kong financial system. Possible factors to consider include how disruptions may affect specific market roles played by the AI (e.g. note issuance or clearing) as well as relationships with counterparties in the interbank market.

For the avoidance of doubt, while the set of criteria defined by AIs for identifying critical operations should encompass elements of both (a) and (b) above, a given operation need not impact both (a) and (b) in order to be classified as a critical operation.

4.1.3 In the process of identifying its critical operations, an AI may, where appropriate, leverage relevant concepts covered within its recovery and resolution plans.


4.2 Setting tolerance for disruption

4.2.1 A tolerance for disruption should be set for each critical operation. It should include at least a time-based metric, but may also include a combination of other quantitative (e.g. volume or value of transactions) and qualitative metrics (e.g. reputational or legal implications).

4.2.2 In setting the tolerance for disruption, consideration should be given to an AI's operational capabilities across a broad range of severe but plausible scenarios that would affect its critical operations. AIs should be aware that their operational capabilities may vary during different business cycles or as a result of seasonal factors. For instance, during periods when more initial public offerings are launched, an AI's trading systems are more likely to come under stress, which could weaken the AI's ability to respond under severe but plausible scenarios.


4.3 Identifying severe but plausible scenarios

4.3.1 AIs should identify a range of scenarios of different nature, severity and duration relevant to their business and risk profile. Examples of scenarios that AIs may consider include, but are not limited to, pandemics, natural disasters, and failures or disruptions at a third party or within the third party's supply chain.

4.3.2 When identifying the scenarios, AIs should make reference to previous incidents or near misses within the institution or across financial sectors, as well as in other sectors or jurisdictions, and to any situations that could result in significant disruptions given the changing operational landscape.
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5. 


Mapping interconnections and interdependencies 
underlying critical operations 


5.1 


5.2 


5.3 


5.4 


The appropriate functions within an Al should identify and 
document: (i) the people, processes, technology, information, 
facilities; and (ii) the interconnections and interdependencies among 
these factors that are necessary for the Al to deliver its critical 
operations. When considering (ii), an Al should also include those 
interconnections and interdependencies that depend on third parties 
and intragroup arrangements. 

The approach and level of granularity of mapping should be 
sufficient to enable the Al to identify vulnerabilities and facilitate the 
testing of the Al’s ability to deliver critical operations through 
disruptions. Als should also consider whether the approach 
adopted for mapping under its operational resilience framework is 
appropriately harmonised with that adopted for recovery and 
resolution planning purposes. 

The mapping documentation should be prepared in a way that is 
proportionate to the Al’s size, scale and complexity. It should also 
be usable by all relevant parties in the event of disruptions. 

Als are expected to review, and where necessary update, their 
mapping documentation on a regular basis, but no less than 
annually or following any material changes to their operations. 
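One way to keep the mapping called for in Section 5 in a form that can actually be queried, rather than as a static document, is to hold it as a dependency graph and walk it under a scenario. The Python below is an added illustration and is not part of the HKMA module or any AI's own tooling; every operation, asset, third party, tolerance figure and outage duration in it is constructed for the example. It links three parts of the module: the asset map (5.1), the time-based tolerance for disruption set per critical operation (4.2.1), and the prioritisation principle in 3.4 that the operation closest to breaching its tolerance comes first.

```python
"""Dependency map for critical operations, queried under a failure scenario.

Added illustration, not from the HKMA module. Every operation, asset, third
party, tolerance and outage duration below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CriticalOperation:
    name: str
    tolerance_hours: float  # time-based tolerance for disruption (4.2.1)
    depends_on: set[str] = field(default_factory=set)  # directly supporting assets


# Asset -> assets it depends on in turn. Mixes people, technology, information,
# facilities, third parties and intragroup entities as 5.1 requires. Constructed.
ASSET_DEPENDENCIES: dict[str, set[str]] = {
    "rtgs-gateway": {"payments-core", "clearing-house-link"},
    "payments-core": {"primary-dc", "core-banking-db", "payments-ops-team"},
    "core-banking-db": {"primary-dc", "storage-vendor"},
    "mobile-channel": {"api-gateway", "cloud-provider-a"},
    "api-gateway": {"cloud-provider-a", "identity-service"},
    "identity-service": {"cloud-provider-a"},
    "trade-capture": {"primary-dc", "market-data-vendor"},
}

# Constructed list of critical operations with hypothetical tolerances.
CRITICAL_OPERATIONS = [
    CriticalOperation("Interbank payments", 2.0, {"rtgs-gateway"}),
    CriticalOperation("Retail mobile banking", 8.0, {"mobile-channel"}),
    CriticalOperation("Trade capture and settlement", 24.0, {"trade-capture"}),
]


def transitive_dependencies(asset: str, graph: dict[str, set[str]] = ASSET_DEPENDENCIES) -> set[str]:
    """Every asset `asset` relies on, directly or indirectly.

    Iterative depth-first walk; the `seen` set also stops it looping if the
    map accidentally contains a cycle (A depends on B depends on A).
    """
    seen: set[str] = set()
    stack = [asset]
    while stack:
        current = stack.pop()
        for dep in graph.get(current, set()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def dependency_closure(op: CriticalOperation, graph: dict[str, set[str]] = ASSET_DEPENDENCIES) -> set[str]:
    """Direct supporting assets plus everything they transitively need."""
    closure = set(op.depends_on)
    for asset in op.depends_on:
        closure |= transitive_dependencies(asset, graph)
    return closure


def operations_affected(failed_asset: str, operations=CRITICAL_OPERATIONS,
                        graph=ASSET_DEPENDENCIES) -> list[str]:
    """Names of critical operations whose delivery depends on `failed_asset`."""
    return [op.name for op in operations if failed_asset in dependency_closure(op, graph)]


def scenario_assessment(failed_asset: str, outage_hours: float, operations=CRITICAL_OPERATIONS,
                        graph=ASSET_DEPENDENCIES) -> list[tuple[str, float, float]]:
    """(operation, tolerance_hours, margin_hours) for each affected operation.

    margin_hours = tolerance - outage; negative means the scenario breaches the
    tolerance for disruption. Sorted ascending so the operation that breaches
    (or is closest to breaching) comes first, matching the principle in 3.4.
    """
    rows = [(op.name, op.tolerance_hours, op.tolerance_hours - outage_hours)
            for op in operations if failed_asset in dependency_closure(op, graph)]
    return sorted(rows, key=lambda row: row[2])


def breached(assessment: list[tuple[str, float, float]]) -> list[str]:
    """Operations that the scenario pushes beyond their tolerance."""
    return [name for name, _, margin in assessment if margin < 0]


if __name__ == "__main__":
    # Constructed scenario: the primary data centre is lost for six hours.
    for name, tol, margin in scenario_assessment("primary-dc", 6.0):
        status = "BREACH" if margin < 0 else "within tolerance"
        print(f"{name:30s} tolerance {tol:5.1f}h  margin {margin:+6.1f}h  {status}")
```

The point of the transitive walk is that a third party such as the hypothetical "storage-vendor" never appears in any operation's direct dependency list, yet a failure there still reaches interbank payments through the core banking database; that is exactly the kind of hidden dependency the mapping in 5.1 and the third-party scenarios in 4.3.1 are meant to surface. Volume- or value-based tolerance metrics (4.2.1) would be added as further fields on the operation and compared the same way.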


6. Preparing for and managing risks to critical operations delivery

6.1 AIs should be prepared to manage all risks with the potential to affect critical operations delivery. As a given critical operation may face a number of risks, AIs should leverage different risk management frameworks, as appropriate, to offer holistic and comprehensive support to the critical operation.

6.2 The HKMA expects that AIs should, at a minimum, take into consideration the following risk management components with respect to operational resilience:

• Operational risk management: As operational risk management focuses on preventing and minimising operational losses, it contributes to an AI's efforts to maintain operational resilience. Operational risk management should therefore be considered a crucial element of an effective operational resilience framework.

• Business continuity planning and testing: Business continuity planning and testing supports an AI's ability to prepare for and recover from emergencies or disasters, and therefore contributes to an AI's ability to continue delivering its critical operations through disruptions. Accordingly, AIs should ensure that their critical operations are subject to appropriate business continuity planning and testing arrangements.

• Third-party dependency management: As AIs increasingly engage third parties or intragroup entities for the provision of services or delivery of functions, they should endeavour to prevent disruptions at these entities from affecting critical operations delivery. To ensure potential risks to critical operations are minimised, AIs should manage their dependencies on third parties and intragroup entities as they would outsourcing arrangements. Prior to entering into arrangements that support the delivery of critical operations, an AI should verify whether the relevant third parties or intragroup entities have at least an equivalent level of operational resilience to that of the AI. Where such verification is not feasible, the AI should take alternative steps to satisfy itself that the engagement of the third party or intragroup entity would not weaken its ability to deliver critical operations in the event of a disruption. During the course of the engagement, an AI should have adequate arrangements in place to continually satisfy itself that the third party or intragroup entity has maintained an acceptable level of operational resilience. In addition, an AI should develop appropriate business continuity and contingency planning procedures and exit strategies to maintain its operational resilience in the event of a failure or disruption at a third party or intragroup entity which may impact its delivery of critical operations. An AI should not enter into, or continue, any third party or intragroup arrangement that may weaken the operational resilience of the AI's critical operations.

• Information and Communication Technology (ICT) including cyber security: Growing technology adoption raises the likelihood that an AI's critical operations may depend on, or may be affected by, lapses in ICT risk management. To minimise risks in this regard, AIs should have in place an ICT policy which covers cyber security, as well as arrangements for ensuring the confidentiality, integrity and availability of critical information assets.

6.3 AIs should note that most of the risk management considerations associated with operational resilience are not new, and are already covered by existing HKMA guidance. This includes, but is not limited to, Supervisory Policy Manual (SPM) modules "TM-G-1 General Principles for Technology Risk Management", "TM-G-2 Business Continuity Planning", "OR-1 Operational Risk Management" and "SA-2 Outsourcing", as well as the "Cyber Resilience Assessment Framework 2.0". AIs should refer to these and ensure that they are compliant with the supervisory requirements contained therein.


7. Testing ability to deliver critical operations under severe but plausible scenarios

7.1 AIs should conduct regular testing of their operational resilience framework to ensure that they are able to continue delivering their critical operations through disruptions, including under severe but plausible scenarios.

7.2 When considering the testing requirement, AIs should take into account the following:

• The testing exercises should include realistic assumptions, and should encompass the AI's interconnections and interdependencies, including those through relationships with intragroup entities and third parties.

• The frequency of testing should be determined based on a variety of factors, including the potential impact of a disruption, how many critical operations an AI has, and whether the operating environment has materially changed.

• Different types of testing (e.g. paper-based, simulations or live-systems testing) serve different purposes, and AIs should deploy the most appropriate type of testing based on the nature or needs of the specific testing exercise. An AI should also consider and carefully manage the risks that may be introduced by the testing itself.

• AIs should deploy staff with appropriate expertise to conduct the testing. The testing approach should dictate the type of staff involved, including their seniority, qualifications, and the function (e.g. first, second or third line of defence) from which they are sourced.

• AIs should consider how they may leverage the testing exercises to enhance their staff's operational resilience awareness and readiness to operate during disruptions, thereby improving their ability to adapt and respond effectively to different types of disruptive events.

7.3 Where practicable, AIs may leverage existing testing arrangements, including those devised for business continuity planning purposes, to fulfil the testing requirement relating to operational resilience. An AI should be able to demonstrate how an existing testing exercise enables it to achieve the specific objectives of scenario testing for operational resilience purposes.

7.4 After each testing exercise, an AI should prepare a formal testing report recording any gaps or weaknesses identified, as well as documenting the remedial actions planned. The reports should be reviewed by the AI's senior management.

8. Responding to and recovering from incidents

8.1 While an AI should dedicate adequate effort to preventing disruptions, it should recognise that disruptions will occur no matter how robust its operational resilience framework is. An AI should therefore be prepared to manage and recover from incidents.

8.2 Specifically, an AI should establish an effective incident management programme to manage all incidents, especially those that may impact its critical operations. The programme should cover incidents that may arise through dependencies, including those on third parties and intragroup entities.

8.3 The incident management programme should capture the full life-cycle of any incident and involve:

• Classification of an incident's severity based on predefined criteria. This should enable the AI to prioritise and allocate resources to respond to an incident.

• Incident response and recovery procedures. These should be reviewed, tested and updated on a regular basis. Their connection to the AI's business continuity, disaster recovery and other associated management plans and procedures should also be clearly documented.

• Communication plans for reporting incidents to all relevant stakeholders, including both internal and external parties, as the circumstances of the incident may require. Communication, where appropriate, should take place during the incident (e.g. to provide performance metrics) and after it, including to convey analysis of lessons learned.

• Root cause analysis of incidents to help prevent or minimise recurrence.

8.4 The incident management programme should be supported by an inventory of internal and third party resources to enable prompt incident response and recovery. It should also reflect the lessons learned from previous incidents, including those experienced by others.

8.5 AIs should note that the above requirements complement existing HKMA guidance on incident management. This includes, but is not limited to, SPM modules "TM-G-2 Business Continuity Planning" and "TM-G-1 General Principles for Technology Risk Management", and the HKMA's circular on "Incident Response and Management Procedures" issued in June 2010. AIs should review the relevant materials and ensure that they are compliant with the supervisory requirements contained therein.

9. Implementation of operational resilience requirements

9.1 Application

9.1.1 The requirements contained in this module apply to all AIs. Locally incorporated AIs should endeavour to implement the guidance of this module with respect to their subsidiaries and overseas operations, and overseas incorporated AIs with respect to their operations in Hong Kong.

9.1.2 In line with the HKMA's risk-based approach to supervision, AIs are expected to implement the requirements in a proportionate manner and develop an operational resilience framework that is "fit for purpose", i.e. commensurate with their nature, size, complexity and risk profile.


9.2 Timeline for implementation

9.2.1 Within 1 year after the date upon which the final module is issued, the HKMA expects an AI to have:
(a) developed its operational resilience framework; and
(b) determined the timeline by which it will have implemented the operational resilience framework and become operationally resilient.

9.2.2 For the purposes of 9.2.1(a), AIs are expected to have identified the operational resilience parameters and commenced a basic programme of mapping. The latter will be crucial to ensuring that an AI adequately understands the interconnections and interdependencies that underlie its critical operations and, in turn, is able to develop the other components of its operational resilience framework, including identifying the specific types of risks to critical operations delivery that need to be addressed and how most suitably to conduct testing. The HKMA recognises that AIs may not be able to produce mapping that reaches the full level of sophistication at the initial stage, and instead expects AIs to make continual improvements as they obtain more experience in implementing their operational resilience frameworks.

9.2.3 Given the importance of operational resilience, the HKMA expects AIs to become operationally resilient as soon as practicable. That said, the HKMA also recognises that becoming operationally resilient is a resource-intensive exercise (for reasons including that it involves mapping exercises, which may be more complex for larger AIs, and could involve substantial system changes). Taking into consideration the need to accommodate AIs of different size and complexity, the HKMA has decided to allow AIs up to 3 years to become operationally resilient. In other words, the timeline specified under Section 9.2.1(b) should not extend beyond 3 years from 1 year after the date upon which the final module is issued. After this point in time, an AI will be expected to have fully implemented its operational resilience framework, including having conducted scenario testing, and to be able to satisfy the requirements in Section 1.3. Notwithstanding the 3-year time limit, AIs are encouraged to become operationally resilient as soon as their circumstances allow. The HKMA will engage in active discussions with AIs to review the suitability of their proposed timelines.


9.3 Supervisory approach

9.3.1 Following its risk-based supervisory approach, the HKMA will assess the effectiveness of the operational resilience frameworks of AIs through a combination of risk-focused on-site examinations, off-site reviews and prudential meetings. Where needed, AIs may be required to submit self-assessments of their ability to remain operationally resilient.